The scenario I'm faced with is I need to access Active Directory properties for a user and the groups of which they are a member from a web server in a DMZ which is not joined to the domain. Our infrastructure team have opened LDAPS connectivity to one specific domain controller for this purpose, which I can call by its DNS name. (I originally wrote this code using a PrincipalContext, but this was generating referred queries to other domain controllers and failing due to firewall restrictions, hence I'm dropping down to the lower-level DirectoryServices API.)
Specifically what I want to be able to do is ask a specific domain controller for a list of the members of a security group whose SID I have as a string.
I can connect to the specific domain controller to create a root DirectoryEntry like this:
var root = new DirectoryEntry("LDAP://mydc.mydomain.com");
...and from there I can create a DirectorySearcher to search for a group by name like so:
var searcher = new DirectorySearcher(root) {
    Filter = "(&(objectCategory=group)(cn=Group Name))"
};
This works fine, but I'm struggling to find an equivalent syntax for searching by a SID. Most threads I've found suggest this syntax for directly instantiating the DirectoryEntry based on the SID itself:
new DirectoryEntry(string.Format("LDAP://<SID={0}>", sid))
...but I can't find any example where I can specify both the domain controller to use for the search and the SID to search for. Grateful if anyone could give me a nudge in the right direction.
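Below is an added example (not code from the question) of one way to do this with the same DirectoryServices API: bind the root DirectoryEntry to the single reachable domain controller over LDAPS, turn off referral chasing so the searcher never tries to reach another DC, filter on objectSid using the byte-escaped form of the SID, and then run a second query against the same DC for the group's direct members. The host name and port, the bind credentials read from environment variables, the SID value and the attribute choices are assumptions for illustration.

```csharp
// Added example, not from the question. Find a group by SID on one specific
// domain controller over LDAPS, then list its direct members from that same DC.
// Assumptions: host name from the question, port 636 for LDAPS, a service
// account supplied via environment variables, and a placeholder SID.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

static class GroupBySid
{
    // Escape the binary SID as \xx pairs, the generic LDAP filter encoding for
    // a byte-valued attribute such as objectSid.
    static string ToLdapFilterValue(SecurityIdentifier sid)
    {
        var bytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(bytes, 0);
        var sb = new StringBuilder(bytes.Length * 3);
        foreach (var b in bytes) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // RFC 4515 escaping for a DN placed inside a filter value.
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    static void Main()
    {
        const string dcHost = "mydc.mydomain.com";        // host from the question
        const string sidString = "S-1-5-21-0-0-0-1234";   // placeholder SID, not a real group
        string user = Environment.GetEnvironmentVariable("AD_BIND_USER");       // assumed, e.g. MYDOMAIN\svc-ldap
        string pass = Environment.GetEnvironmentVariable("AD_BIND_PASSWORD");   // assumed

        // Bind to the one reachable DC on 636. SecureSocketsLayer selects LDAPS;
        // the server certificate must chain to a CA the DMZ host trusts.
        using (var root = new DirectoryEntry("LDAP://" + dcHost + ":636",
                   user, pass, AuthenticationTypes.SecureSocketsLayer))
        using (var searcher = new DirectorySearcher(root))
        {
            // Never follow referrals: from the DMZ they would point at DCs the
            // firewall blocks, which is the PrincipalContext failure described above.
            searcher.ReferralChasing = ReferralChasingOption.None;

            searcher.Filter = "(&(objectCategory=group)(objectSid=" +
                              ToLdapFilterValue(new SecurityIdentifier(sidString)) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PropertiesToLoad.Add("cn");

            SearchResult group = searcher.FindOne();
            if (group == null)
            {
                Console.WriteLine("No group with SID {0} found on {1}", sidString, dcHost);
                return;
            }
            string groupDn = (string)group.Properties["distinguishedName"][0];
            Console.WriteLine("Group: {0}", group.Properties["cn"][0]);

            // Second query on the same DC for direct members. memberOf=<DN> returns
            // the member objects themselves rather than a list of DNs; nested group
            // membership is not expanded by this filter.
            searcher.Filter = "(memberOf=" + EscapeFilterValue(groupDn) + ")";
            searcher.PropertiesToLoad.Clear();
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PageSize = 500;   // paged results for groups above the server's size limit

            using (SearchResultCollection members = searcher.FindAll())
            {
                foreach (SearchResult m in members)
                {
                    var sam = m.Properties["sAMAccountName"];
                    Console.WriteLine("  {0}", sam.Count > 0 ? sam[0] : "(no sAMAccountName)");
                }
            }
        }
    }
}
```

The SID is converted to its binary form and escaped byte by byte because that encoding is accepted for objectSid regardless of the LDAP server. Setting ReferralChasing to None is the important part for a DMZ host: a search that spans the domain partition rooted at one DC does not need referrals, and leaving chasing enabled is what produces connection attempts to other controllers. The ADSI binding-string form LDAP://mydc.mydomain.com/<SID=S-1-5-...> also binds by SID through a named server, but the searcher approach above gives the same control over referrals and lets the member lookup reuse the one connection.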